Situational Assessment of Intrusion Alerts:

A Multi Attack Scenario Evaluation

Hadi Shiravi∗, Ali Shiravi∗, and Ali A. Ghorbani

Information Security Centre of Excellence,University of New Brunswick, Canada

{hadi.shiravi,ali.shiravi,ghorbani}@unb.ca

Abstract. In this research study, we focus on intrusion alerts and theburden of analyzing numerous security events by network administra-tors. We present Avisa2, a network security visualization system thatcan assist in the comprehension of IDS alerts and detection of abnormalpattern activities. The quantity of security events triggered by modernday intrusion systems, accompanied by the level of complexity and lackof correlation between events, limits the human cognitive process in iden-tifying anomalous behavior. This shortcoming induces the need for anautomated process that would project critical situations and prioritizenetwork hosts encountering peculiar behaviors. At the heart of Avisa2

lies a collection of heuristic functions that are utilized to score, rank,and prioritize internal hosts of the monitored network. We believe thiscontribution elevates the practicality of Avisa2 in identifying critical sit-uations and renders it to be far superior to traditional security systemsthat solely focus on visualization. The effectiveness of Avisa2 is evaluatedon two multi-stage attack scenarios; each intentionally focused on a par-ticular attack type, network service, and network range. Avisa2 provedeffective and accurate in prioritizing hosts under attack or hosts in whichattacks were performed from.

Keywords: Visualization, IDS Alerts, Situational Awareness, HeuristicFunction, Exponential smoothing.

1 Introduction

Intrusion signatures are continuously updated to generalize the behavior of aknown exploit rather than to be targeted towards a specific malware. As a con-sequence of this behavior, a higher volume of legitimate traffic is flagged asmalicious, generating a higher number of intrusion alerts leading to the phe-nomenon of false positives. A major issue that false positives create is that theycan easily distort legitimate alerts from being seen by an administrator. Networksecurity visualization is an emerging field that has been developed with theseshortcomings in mind. Security visualization accentuates fundamental matters

∗ Hadi Shiravi and Ali Shiravi contributed equally to this work.

S. Qing et al. (Eds.): ICICS 2011, LNCS 7043, pp. 399–413, 2011.c© Springer-Verlag Berlin Heidelberg 2011

400 H. Shiravi, A. Shiravi, A.A. Ghorbani

of information visualization and synthesizes it with security audit traces, de-manding novel techniques for the purpose of exploratory analysis [1]. The maingoal of security visualization is to give insight with which the ability to identify,process, and comprehend malicious behavior is achieved. However, the humanvisual system has rules of its own. We can only perceive patterns, trends, andexceptions if they are displayed in certain ways, or in better words, if they obeythe rules of the human visual system [2]. In order to design visualizations thatexploit this fast and powerful processor we need to find features that can beperceived rapidly, properties that are good discriminators, and characteristicsthat abide by the laws of our visual system. This in return allows for a moreeffective analysis of complex data while enhancing the situational awareness ofthe security analyst.

Situational awareness is viewed in [3] as a “state of knowledge that resultsfrom a process” and must be distinguished from the process used to acquirethat state. Subsequently, situation assessment is “the process” used to achievethat knowledge and is considered an aid in the cognitive process of situationawareness. A situation assessment process must automatically identify and eval-uate the impact of underlying events and relate them to assets of the monitorednetwork.

In this paper, we utilize a collection of time based, parameterized heuris-tic functions as the basis of our situation assessment component to collectivelyidentify and prioritize hosts of peculiar behavior. The output of the situationassessment component- a collection of hosts within the monitored network witha higher abnormality score- is then visualized through a novel security visualiza-tion system. The situation assessment component is evaluated on two multi-stepattack scenarios executed on our Centre’s benchmark dataset, each carefullycrafted and aimed towards recent trends in security threats.

In this paper, we make the following contributions;

– Formalization of parameterized heuristic functions as the basis of a situa-tion assessment component to combat constraints imposed on conventionalsecurity visualization systems.

– Design and implementation of a novel security visualization system for dis-playing a selective number of hosts and their corresponding alerts in aninteractive and exploratory manner.

The remainder of this paper is organized as follows. Section 2 looks deep intosecurity visualization as issues and concerns regarding modern network securityvisualization systems are elaborated on. Section 3 articulates the philosophyof incorporating heuristic functions as an automated process of estimating andprojecting critical situations. Section 4 introduces seven distinct features utilizedin identifying hosts with malicious behavior. In Section 5 the host selectionalgorithm is proposed and its functionality is described in length. In Section 6,we express the proposed visualization system, Avisa2, with details regardingits design. The visualization system and its underlying heuristic functions areevaluated in Section 7. The paper is summarized in Section 8 with suggestionsfor future work and further extensions.

Situational Assessment of Intrusion Alerts 401

2 Limitations of Security Visualization Systems

A class of visualization systems, namely [4,5], have focused greatly on not onlyvisualizing the state of one or a limited number of hosts as seen in [6], but ondepicting the interaction of a large number of internal hosts with respect toexternal sources. This class solely focuses on visualization techniques to combatlarge quantities of network related data, often resulting in occlusion as mostsystems are largely faced with scalability issues. This fact reiterates the needfor a process that can identify hosts with anomalous behavior and to projectthe processed results on a visualization system. In this manner, the load onthe visualization system is reduced considerably; allowing for a near real timeanalysis of events and thereby a more responsive system is accessible.

As apposed to the aforementioned systems, where the emphasis is mainly onhigher level activity of hosts, a collection of visualization systems are gearedtowards visualizing the port activity of a single or a collection of hosts within amonitored network [7]. Developers of these system assert that various malwareprograms often manifest themselves in abnormal port activity which can bedetected through visualization systems. This argument may have been correctin the past, but as applications tend to evolve over time and adjust how theycommunicate over the Internet, they become increasingly evasive. Almost twothirds of all enterprise traffic is currently routed through ports 80 (HTTP) and443 (HTTPS) [8]. This change in behavior greatly influences the objectives ofport activity visualization systems as their focus should shift towards in-depthanalysis of only a predominant number of ports rather than depicting the activityof the full port range.

The fascinating ability of visualization in providing insight into the attackdetection process should be considered as the main contribution of a securityvisualization system. Current visualization systems devised for the process ofdetecting attack patterns [9], are in most cases used independent of other securityproducts in a network. Visualization systems should be thought as systems thatprovide insight into areas that other security systems fail to enlighten. Anymalicious behavior detected should then be analyzed and automated, if possible,so that an automated application can handle the task in future; conservinghuman time and attention.

3 Enhancing Situation Awareness via AutomatedHeuristic Functions

In this study we have taken an approach to decrease the amount of visual clut-ter by decreasing the number of hosts and consequently reducing the numberof alerts displayed at each interval through a situation assessment process com-prised of multiple heuristic functions. These functions are further elaboratedbelow.

402 H. Shiravi, A. Shiravi, A.A. Ghorbani

3.1 Exponential Smoothing

In an exponential moving average the effect of recent values is expected to de-cline exponentially over time to mitigate the effects of extreme observations. Let{yt} = {· · · yt−1, yt, yt+1 · · · } denote a sequence of non-negative real numbers in-dexed by some time subscript t. Call such a sequence of variables a time series.An n-period exponential smoothing of a time series yt is defined as

Zt (n) =n−1∑

j=0

wj · yt−j , wj =αj−1

∑n−1j=0 αj−1

(1)

where 0 ≤ α < 1 is the smoothing constant. As n → ∞, αn → 0, wn → 0,Equation 1 can be defined independently of the window width n. The geometricdecline in Equation 1 can be calculated efficiently using recursion

Zt (α) = (1 − α) yt + αZt−1 (α) (2)

where yt is the observation at time t, Zt−1 is the value of the exponential smooth-ing in the previous period, and Zt is the value of exponential smoothing at timet. The smoothing constant, α, controls the memory of the process such that thesmaller the smoothing constant, the more weight is given to recent observations.

3.2 Exponential Smoothing Difference

In this category of heuristic function, emphasis is put toward the changing be-havior of a feature’s value rather than the absolute value itself. Running an ex-ponential moving average over the difference of the current and previous valuesof a feature provides a means to filter constant activity and to reward increas-ing values. An n-period exponential smoothing difference of a time series yt isdefined recursively as

Dt (α) = (1 − α) (yt − yt−1) + αDt−1 (α) (3)

where 0 ≤ α < 1 is the smoothing constant, yt is the observation at time t, yt−1

is the observation at time t − 1, Dt−1 is the value of the exponential smooth-ing difference in the previous period, and Dt is the value of the exponentialsmoothing difference at time t.

3.3 Dispersion

A measure of dispersion can give a numerical indication of how scattered, orconcentrated, a collection of events are over a certain period of time. The mostcommonly used measure of dispersion is the sample standard deviation, s, thesquare root of the sample variance given by

s =

√√√√ 1n − 1

n∑

i=1

(xi − x)2 (4)

where x1, x2, · · · , xn are the n samples observations and x is the sample mean.

Situational Assessment of Intrusion Alerts 403

4 Distinctive Set of Features

Let r(R) denote a relation on the relation schema R(A1, A2, · · · , An), where{A1, A2, · · · , An} is a set of attributes. Also, let Di denote the domain of per-mitted values of attribute Ai. A relation r is a set of n-tuples (a1, a2, · · · , an)where each ai ∈ Di. This paper models alerts as relation Λ, where Λ is a subsetof the Cartesian product of the domains of its attributes. Based on this defi-nition and for the attribute set {ID, Category, SrcIP, T ime, · · · }, current timewindow τ1 = ta ≤ T ime < tb, and prior time window τ0 = t0 ≤ T ime < ta thefollowing seven features have been defined:

(1) Aiτ1

:= Fcount(ID) (σTime=τ1 (Λi))(2) ACi

τ1:=Category Fcount(∗) (σTime=τ1 (Λi))

(3) Siτ1

:= Fcount(SrcIP ) (πSrcIP (σTime=τ1 (Λi)))

(4) PSiτ1,τ0

:=Fcount(SrcIP )(πSrcIP (W i

τ1−W i

τ0))

Fcount(SrcIP )(πSrcIP (W iτ1))

, W iτ := πSrcIP (σTime=τ (Λi))

(5) Ciτ1

:= Fcount(AlertType) (πAlertType (σTime=τ1 (Λi)))

(6) PCiτ1,τ0

:=Fcount(T ype)(πCategory(V i

τ1−V i

τ0))

Fcount(Category)(πCategory(V iτ1

)) , V iτ := πCategory (σTime=τ (Λi))

(7) AT iτ1

:= πTime (σTime=τ1 (Λi)) ,

5 Heuristic Host Selection Algorithm

Algorithm 1 describes the heuristic host selection procedure. The algorithm takesas arguments a set of IDS generated alerts Λ from the current time windowta ≤ τ1 < tb and a set of features F accompanied with their respective userdefined weights W . The procedure outputs the top n hosts with the highest ab-normality scores. The host selection procedure is performed in two major steps:(1) For each host i ∈ H within the IDS alert stream input in the current timewindow (τ1), three heuristic functions as defined in Section 3 are calculated onthe set of features F = {A,AC,S,PS, C,PC,AT } (Lines 3-14). The exponential

smoothing is calculated on the first six features (Zijτ1) (Lines 4-6), the exponen-

tial smoothing difference on the first two features (Dijτ1) (Lines 7-9), and the

dispersion heuristic on the last feature (sijτ1

) (Lines 10-14).(2) The final score of each host is composed of the sum of three components:sum of exponential smoothings (Sτ1

Zi), sum of exponential smoothing differences

(Sτ1

Di), and sum of dispersion (Sτ1

si) (Lines 15-25). The value of each component

is calculated by multiplying the normalized value of a feature (Zijτ1 , D

ijτ1 , s

ijτ1) by

its respective user defined weight(Wj) and subsequently summing them for allfeatures of a heuristic category (Line 24).

In the final step the algorithm outputs the top n hosts with the highest scores.

404 H. Shiravi, A. Shiravi, A.A. Ghorbani

Algorithm 1. Heuristic Host Selection Algorithm

Input: Set of Alerts Λ, Set of Features F = {A,AC,S ,PS, C,PC,AT }, Set ofuser defined weights W =

{wZ

A, wZAC, wZ

S , wZPS , wZ

C , wZPC , wD

A , wDAC , ws

AT},

t0 ≤ τ0 < ta, ta ≤ τ1 < tb, n.Output: Top n hosts with highest scores.begin1

H ←− πDIP (σTime=τ1(Λ))2

// Calculate heuristic function for each host

foreach i ∈ H do3

// Exponential smoothing of first six features

for j ←− 1 to 6 do4

Zijτ1 ←− (1− α)F ij

τ1 + Zijτ05

end6

// Exponential smoothing difference of first two features

for j ←− 1 to 2 do7

Dijτ1 ←− (1− α) (F ij

τ1 − Fijτ0) + Dij

τ08

end9

// Dispersion of last feature

j ←− 710

k ←−∣∣F ij

τ1

∣∣11

x←−∑

x∈Fijτ1

x

k12

sijτ1 ←−

√1

k−1

∑x∈Fij

τ1(x− x)213

end14

// Calculate score for each host

foreach i ∈ H do15

// Sum score for normalized value of exponential smoothings

for j ←− 1 to 6 do16

Sτ1Zi←− Sτ1

Zi+ (Wj · Zij

τ1)17

end18

// Sum score for normalized value of exponential smoothing

differences

for j ←− 7 to 8 do19

Sτ1Di←− Sτ1

Di+ (Wj ·Dij

τ1)20

end21

// Sum score for normalized value of standard deviation

j ←− 922

Sτ1si←− Sτ1

si+ (Wj · sij

τ1)23

// Sum final score of host

Scoreiτ1 ←− Sτ1

Zi+ Sτ1

Di+ Sτ1

si24

end25

// Return top n hosts with highest scores

return top(Scoreτ1 , n)26

end27

Situational Assessment of Intrusion Alerts 405

6 Avisa2: A Network Security Visualization System

A screen shot of Avisa2 in action is illustrated Fig. 1. The system is composedof two main components, the radial visualization on the left and the informationstack on the right. Both components work in collaboration with each other tomaintain effective security situational awareness. This enables a rapid assessmentand investigation of relevant security events through direct user interaction andanalysis. Avisa2 presents an up-to-date display of network state by providing aninteractive visualization of real-time security events. This, combined with theautomatic situational assessment powers of the heuristic functions presents anideal visualization system that is capable of displaying prioritized situations tosecurity analysts for a better situation awareness.

Fig. 1. A screen shot of Avisa2 in action. The radial visualization on the left is thefocal point of the display, while the information stack on the right illustrates detail.

6.1 Radial Visualization

The radial visualization component of Avisa2 constitutes the focal point of thedisplay. As the output of the heuristic functions are calculated in 5 minuteintervals, the top n hosts of the monitored network are selected and are pipedas input to the visual component. The radial visualization creates an interactiveenvironment for analysts to perceive patterns, trends, and exceptions withinthe already prioritized data. Primitive attributes are the unique properties thatallow a visual element to be seen from an image. Primitive attributes such ashue, motion, size, length, intensity, and spatial grouping are used extensively toestablish visual prominence. The radial visualization itself is composed of twosubcomponents, namely the network host radial panel and the alert category dotpanel.

406 H. Shiravi, A. Shiravi, A.A. Ghorbani

Network Host Radial Panel. The network host radial panel is designed torepresent the output of the heuristic functions along with several attributes ina perceivable fashion. The prioritized network hosts are arranged along a radialpanel while the final quarter of the panel is reserved for displaying additionalinformation. As hosts are added or removed from the panel, they are animatedin place to assist in highlighting system transitions from one state to another.The primitive attributes length and color are utilized to visually differentiatehosts with higher and lower scores. At each time interval the height, color,and position of each host is animated from its previous value to its currentvalue. This is a feature that is rarely seen in security visualization systems dueto the selected development framework and complicated implementation issuessurrounding animation.

Alert Category Dot Panel. The alert category dot panel is designed to encodethe alert activity of a host. For each alert category a circle shaped element isdisplayed along a vertical line. Currently the panel is capable of displaying twentyalert categories with room for further extensions. In order to encode the numberof alerts in each category as a color, the number of alerts in each alert category isnormalized over all hosts. Accordingly, the values are arranged into equal lengthintervals while each interval is assigned a color. In this manner, it is very clearfor an analyst to see the different types of alerts a host or a collection of hostsare experiencing in one glance. Consequently, based on the assigned colors ananalyst can also grasp an idea on the number of alerts and if further detailedinformation is required, she can use the information stack on the right side ofthe system for further analysis.

6.2 Information Stack

The information stack works in collaboration with the radial visualization com-ponent to provide a greater insight into the underlying data. When a user selectsa host on the radial panel, the information stack queries for the required data anddisplays it in an informative and interactive manner. The stack is composed ofthree main components: the date time selector, the activity graph, and the alerttype performance table. The date time selector displays a panel of predefined orcustom time periods for an analyst to select. The toggle buttons are data boundto the underlying data and when pressed, the stack is updated dynamically. Theactivity graph displays a zoomable line chart and is used to display alert activ-ity in greater detail. The alert type performance table displays an overview ofthe alert categories experienced by the selected host by incorporating sparklinesand bullet graphs. Sparklines provide a bare-bones and space efficient time-seriesgraph. Selecting an alert category from the performance table displays its respec-tive sparkline graph in greater detail on the activity graph. A simplified versionof the bullet graph is also used to provide a comparison mechanism for the num-ber of alerts in each category. Avisa2 also provides low level details of the actualIDS alerts through the Alert Detail button of the stack.

Situational Assessment of Intrusion Alerts 407

7 Experimental Results and Evaluation

7.1 Scenario 1: Network Infiltration from the Inside

It is very common for computers on a network to access the Internet througha NAT server. This attack scenario is designed to show how a network withall workstations located behind a NAT can be infiltrated. In this case, whilethe target computers will be able to make connections to the Internet, it willnot be possible to establish a connection from outside to the target network.Thereby, client-side techniques such as executable encoding, host pivoting, socialengineering, and shell migration are utilized to exploit vulnerabilities on internalhosts and servers. Figure 2 provides a detailed illustration of the attack scenario.Each stage of the attack scenario accompanied with the analysis of Avisa2’sresults is articulated below and depicted in Fig. 3. The output score of each hostwithin the time window of Scenario 1 is also detailed in Appendix A.

VLan 1 VLan 2 VLan 5Server23

Attacker

(1)

(2)

(3)

(4)

(6)

(5)

(7)

(8,11)

(10)

(9,12,14)

(13)

Server22

Host12Host5Host

CompromisedHost

Server

CompromisedServer

Download File

Exploit

Scan

Upload Session

Fig. 2. An infographic detailing the multiple stages of attack scenario 1

(1) 15:30→15:35: A corrupt PDF file, containing a TCP connection binary, issent as an email attachment to all testbed users.(2,3) 16:10→16:15: Host 192.168.1.105 opens the corrupted PDF file, an AdobePDF vulnerability is exploited and a Meterpreter session is generated back tothe attacker. Avisa2 detects this and as shown in Fig. 3(a) and Table 1(a), host5is ranked first and has received the highest score.(4) 16:25→16:30: Nmap directory is download on host 192.168.1.105.(5) 16:35→16:40: Nmap is run to scan subnet 192.168.1.0/24 of testbed fromhost 192.168.1.105. Port scans often trigger numerous alerts and as illustratedin Fig. 3(b) and Table 1(b), Avisa2 has prioritized users of subnet 1.(6) 16:40→16:45: Nmap is run to scan subnet 192.168.2.0/24 of testbed fromhost 192.168.1.105. Avisa2 picks up on this behavior and as illustrated in Fig.3(c) and Table 1(c), users of subnet 2 have received the highest scores.(7,8) 16:45→16:50: SMB vulnerability on host 192.168.2.112 is exploited and aMeterpreter session is generated back to the attacker. Avisa2 detects this peculiar

408 H. Shiravi, A. Shiravi, A.A. Ghorbani

behavior and as illustrated in Fig. 3(d) and Table 1(d), host12 has received thehighest score and is ranked first.(9,10) 16:55→17:00: Nmap directory is downloaded on host 192.168.1.112; Nmapis run to scan subnet 192.168.5.0/24 of testbed from host 192.168.2.112. Althoughsnort correctly alerted on the exploit and the port scans, it failed to detect theNmap directory being downloaded on host12 and only a number of false positiveswere generated. But as illustrated in Figures 3(e),(f) and Tables 1(e), Avisa2

ranks host12 the highest in two consecutive time periods due to its peculiarbehavior. Due to the port scans performed on subnet 5, servers 23 and 24 areranked in the top 5 in Table 1(f) even though they have received no alerts inprevious intervals.(13) 17:10→18:30: Browser on host 192.168.1.112 connects to the internal webapplication running on 192.168.5.123 and starts performing SQL injection at-tacks. The attacker iterates through database tables and creates a new useraccount with administrator privileges. The user table of the database is subse-quently deleted to disallow further logins. The SQL injection attacks were notdetected by snort, but due to the remote desktop connection accessing server23,Avisa2 was able to rank server23 as the first or second host in this period. Thisis seen in detail in Tables 1(j) and (k).(14) 20:45→21:00: Attacker downloads a backdoor on host 192.168.2.112 anddisconnects all established sessions and finishes the attack scenario.

192.168.1.105

192.168.1.104

192.168.1.102

192.168.1.101

192.168.1.103

192.168.2.106

192.168.2.111

192.168.2.110

192.168.2.112

192.168.2.113

192.168.2.109

192.168.2.107

192.168.3.117

192.168.3.116

192.168.3.115

192.168.3.114

192.168.4.121

192.168.4.119

192.168.4.118

192.168.4.120

192.168.1.102

192.168.1.103

192.168.1.104

192.168.1.101

192.168.1.105

192.168.2.106

192.168.2.107

192.168.2.111

192.168.2.113

192.168.2.112

192.168.2.110

192.168.2.109

192.168.3.117

192.168.3.116

192.168.3.115

192.168.3.114

192.168.4.121

192.168.4.118

192.168.4.120

192.168.4.119

192.168.1.105

192.168.1.102

192.168.1.103

192.168.1.101

192.168.1.104

192.168.2.106

192.168.2.112

192.168.2.110

192.168.2.108

192.168.2.109

192.168.2.113

192.168.2.107

192.168.2.111

192.168.3.117

192.168.3.116

192.168.3.115

192.168.3.114

192.168.4.119

192.168.4.118

192.168.4.120

192.168.4.121

192.168.1.101

192.168.1.105

192.168.1.102

192.168.1.103

192.168.1.104

192.168.2.112

192.168.2.106

192.168.2.111

192.168.2.109

192.168.2.110

192.168.2.108

192.168.2.113

192.168.2.107

192.168.3.117

192.168.3.114

192.168.3.115

192.168.3.116

192.168.4.121

192.168.4.120

192.168.4.118

192.168.4.119

192.168.1.101

192.168.1.102

192.168.1.105

192.168.1.103

192.168.1.104

192.168.2.112

192.168.2.109

192.168.2.106

192.168.2.111

192.168.2.113

192.168.2.107

192.168.2.110

192.168.2.108

192.168.3.117

192.168.3.114

192.168.3.115

192.168.3.116

192.168.4.120

192.168.4.118

192.168.4.121

192.168.4.119

192.168.1.101

192.168.1.102

192.168.1.105

192.168.1.103

192.168.1.104

192.168.2.112

192.168.2.106

192.168.2.111

192.168.2.109

192.168.2.107

192.168.2.113

192.168.2.110

192.168.2.108

192.168.3.117

192.168.3.114

192.168.3.115

192.168.3.116

192.168.4.121

192.168.4.119

192.168.4.118

192.168.4.120

192.168.5.123

192.168.4.124

(a) 16:10 16:15 (2,3) (b) 16:35 16:40 (5) (c) 16:40 16:45 (6)

(d) 16:45 16:50 (7,8) (e) 16:50 16:55 (9,10) (f) 16:55 17:00 (10)

Fig. 3. Screen shots of Avisa2 displaying the stages of attack scenario 1

Situational Assessment of Intrusion Alerts 409

7.2 Scenario 2: HTTP Denial of Service

The second attack scenario is designed towards performing a stealthy, low band-width denial of service attack without the need to flood the network. We will beutilizing Slowloris as the main tool in this scenario as it has proven to makeWeb servers completely inaccessible using a single machine. Slowloris starts bymaking a full TCP connection to the remote server. The tool holds the connec-tion open by sending valid, incomplete HTTP requests to the server at regularintervals to keep the sockets from closing. Since any Web server has a finiteability to serve connections, it will only be a matter of time before all sock-ets are used up and no other connection can be made. This scenario picks upwhere scenario 1 left off by connecting to the backdoor created in the final stage.A detailed description on each stage of the attack scenario accompanied withthe analysis of Avisa2’s results and subsequent screen shots are given below. Theoutput score of each host within the time window of Scenario 2 is also illustratedin Appendix B.

Host

CompromisedHost

Server

CompromisedServer

Download File

Exploit

Scan

Upload Session

VLan 1

VLan 2

Attacker

(8)

(13)

(17)

(14) (1)

(2)

Host12

Host1

Server22

VLan 3Host15

Host17Host13

Host6

(3)

(6)

(7)

(9)

(10)(11)

(12)(15)

(16)

(18) (19)

(20)

(4)(5)

VLan 5

Fig. 4. An infographic detailing the multiple stages of attack scenario 2

(1) 16:55→17:00: Host 192.168.2.112 makes an outbound connection to the at-tacker through a backdoor. Snort detects host12 connecting to the attacker’smachine and subsequently, and as illustrated in Table 2(a), Avisa2 ranks host12the top host.(2) 17:15→17:20: Nmap is run to scan subnet 192.168.3.0/24 of testbed fromhost 192.168.2.112. Due to the scan on subnet 3, hosts 14,15,16, and 17 havereceived higher scores and as shown in Fig. 5(a) and Table 2(b), they are rankedamongst the top 5 hosts.(3,4) 17:20→17:25: SMB vulnerability is exploited on host 192.168.2.113 and aremote desktop connection is returned to the attacker. This exploit is partiallydetected by snort, but since the number of alerts generated in the previous periodis substantial, hosts 17,12, and 14 remain top hosts while host13 is ranked 4th.Figure 5(b) depicts this behavior.(5) 17:25→17:30: Host 192.168.2.113 downloads malicious files from remoteserver.

410 H. Shiravi, A. Shiravi, A.A. Ghorbani

(6) 17:30→17:35: Slowloris is run from host 192.168.2.113 against server192.168.5.122. Even though the required signatures for detecting Slowloris at-tacks are turned on, Snort is unable to detect this attack. As a result of shuttingthe server down, hosts are unable to access the site and Snort triggers a collec-tion of alerts. Avisa2 is able to pick up on this behavior and as illustrated inFig. 5(c) and Table 2(d), server22 is ranked second in the period under attack.(7,8) 17:35→17:40: SMB vulnerability is exploited on host 192.168.3.115 anda remote desktop connection is returned to the attacker. Avisa2 detects thisbehavior and as illustrated in Table 2(e), host15 is ranked second.(9) 17:40→17:45: Host 192.168.2.115 downloads malicious files from remoteserver.(10) 17:45→17:50: Slowloris is run from host 192.168.3.115 against server192.168.5.122. Avisa2 is able to pick up on this behavior and as illustrated inTable 2(f), host15 and server22 are amongst the top 3 hosts in the period underattack.(11,12) 17:50→17:55: SMB vulnerability is exploited on host 192.168.3.117 and aremote desktop connection is returned to the attacker-Conncetion Lost. Avisa2

detects this behavior and as illustrated in Table 2(g) host17 is ranked first.(13,14) 18:00→18:05: SMB vulnerability is exploited on host 192.168.2.106 anda remote desktop connection is returned to the attacker. Avisa2 detects thisbehavior and as illustrated in Table 2(h) host6 is ranked second.(15,16) 18:05→18:10: Slowloris is run from host 192.168.2.106 against server192.168.5.122. Avisa2 is able to pick up on this behavior and as illustrated inTable 2(i), host6 and server22 are amongst the top 3 hosts in the period underattack.(17,18) 18:10→18:15: SMB vulnerability is exploited on host 192.168.1.101 anda remote desktop connection is returned to the attacker. Avisa2 detects thisbehavior and as illustrated in Table 2(j) host1 is ranked second.(19)18:15→18:20: Host 192.168.1.101 downloads malicious files from remoteserver.(20) 18:20→18:25: Slowloris is run from host 192.168.1.101 against server192.168.5.122. Avisa2 is able to pick up on this behavior and as illustrated inTable 2(k), host1 and server22 are amongst the top 3 hosts in the period underattack.

192.168.1.103

192.168.2.112

192.168.2.109

192.168.3.117

192.168.3.115

192.168.3.114

192.168.3.116

192.168.4.121

192.168.4.118

192.168.5.122

192.168.1.103

192.168.2.112

192.168.2.113

192.168.2.108

192.168.2.109

192.168.3.117

192.168.3.114

192.168.3.115

192.168.3.116

192.168.4.121

192.168.4.118

192.168.5.122

192.168.1.103

192.168.2.112

192.168.2.113

192.168.2.108

192.168.2.109

192.168.3.117

192.168.3.114

192.168.3.115

192.168.3.116

192.168.4.121

192.168.4.118

192.168.5.122

(a) 17:15 17:20 (2) (b) 17:20 17:25 (3,4) (c) 17:30 17:35 (6)

Fig. 5. Screen shots of Avisa2 displaying the stages of attack scenario 2

Situational Assessment of Intrusion Alerts 411

8 Conclusion

In this research we presented Avisa2, a network security visualization systemthat can assist in comprehending IDS alerts and detecting abnormal patternactivities within a network. Visual constraints, complexity of relations betweenintrusion alerts, and limitations on perceiving situational awareness in high vol-ume environments were the driving force behind the development of the heuristicfunctions. Three categories of heuristic functions along with seven heuristic fea-tures were introduced and formalized. The effectiveness of Avisa2 in detectingmalicious and abnormal behavior was evaluated on two multi-step attack scenar-ios, each intentionally focused on a particular attack type, network service, andnetwork range. Avisa2 was capable of prioritizing hosts that were the subject ofattacks or hosts on which the attacks were executed. The effectiveness of Avisa2

is reliant primarily on the detection of the underlying IDS, or in formal terms,its true positive rate. However, this does not mean that the false positive rateof the IDS must also be low, as the heuristic functions of Avisa2 are capable offiltering and eliminating recurring events and prioritizing hosts receiving alertsfrom multiple sources and types.

Acknowledgment. This work was supported in part by the Natural Sciencesand Engineering Research Council of Canada (NSERC) through a grant STPGP-381091 to Dr. Ghorbani.

References

1. Shiravi, H., Shiravi, A., Ghorbani, A.A.: A survey of visualization systems fornetwork security. IEEE Transactions on Visualization and Computer Graph-ics 99(PrePrints) (2011)

2. Few, S.: Now You See It: Simple Visualization Techniques for Quantitative Anal-ysis, 1st edn. Analytics Press (2009)

3. Endsley, M.: Toward a theory of situation awareness in dynamic systems: Situationawareness. Human Factors 37(1), 32–64 (1995)

4. Ball, R., Fink, G.A., North, C.: Home-centric visualization of network traffic forsecurity administration. In: Proceedings of the ACM Workshop on Visualizationand Data Mining for Computer Security, pp. 55–64 (2004)

5. Goodall, J.R., Lutters, W.G., Rheingans, P., Komlodi, A.: Preserving the big pic-ture: visual network traffic analysis with tnv. In: IEEE Workshop on Visualizationfor Computer Security (VizSEC 2005), pp. 47–54 (2005)

6. Erbacher, R., Walker, K., Frincke, D.: Intrusion and misuse detection in large-scalesystems. IEEE Computer Graphics and Applications, 38–48 (2002)

7. McPherson, J., Ma, K., Krystosk, P., Bartoletti, T., Christensen, M.: PortVis:a tool for port-based detection of security events. In: Proceedings of the ACMWorkshop on Visualization and Data Mining for Computer Security, pp. 73–81(2004)

8. PaloAltoNetworks: Re-Inventing Network Security (2010),http://www.paloaltonetworks.com/literature/whitepapers/Re-inventing

-Network-Security.pdf

(online; accessed July 12, 2011)

412 H. Shiravi, A. Shiravi, A.A. Ghorbani

9. Shiravi, H., Shiravi, A., Ghorbani, A.: Ids Alert Visualization and Monitoringthrough Heuristic Host Selection. In: Soriano, M., Qing, S., Lopez, J. (eds.) ICICS2010. LNCS, vol. 6476, pp. 445–458. Springer, Heidelberg (2010)

Appendix A: Output scores of Avisa2 in attack scenario 1

Table 1. Output scores of Avisa2 in attack scenario 1

SCO

RE

HO

ST

192.

168.

2.11

219

2.16

8.1.

101

192.

168.

2.10

6

192.

168.

4.11

8

192.

168.

4.12

0

192.

168.

4.12

1

192.

168.

1.10

5

192.

168.

1.10

2

192.

168.

2.11

0

192.

168.

2.10

8

192.

168.

2.10

9

192.

168.

2.11

1

192.

168.

2.11

3

192.

168.

2.10

7

192.

168.

1.10

3

. . .

. . .

. . .

. . .

. . .

. . .

. . .

. . .

3.07

2.35

2.34

2.05

2.04

2.03

1.27

1.21

1.20

1.20

1.20

1.20

1.18

1.09

0.93

SCO

RE

HO

ST

192.

168.

2.11

219

2.16

8.2.

109

192.

168.

1.10

1

192.

168.

2.10

6

192.

168.

4.12

0

192.

168.

4.11

8

192.

168.

4.12

1

192.

168.

1.10

2

192.

168.

2.11

1

192.

168.

2.11

0

192.

168.

2.10

8

192.

168.

1.10

5

192.

168.

2.10

7

192.

168.

1.10

3

192.

168.

2.11

3

. . .

. . .

. . .

. . .

. . .

. . .

. . .

. . .

2.60

2.53

2.39

2.12

1.60

1.45

1.45

1.26

1.23

1.00

1.00

0.97

0.97

0.94

0.92

SCO

RE

HO

ST

192.

168.

1.10

519

2.16

8.4.

121

192.

168.

2.10

6

192.

168.

2.11

1

192.

168.

1.10

4

192.

168.

4.11

9

192.

168.

1.10

2

192.

168.

1.10

1

192.

168.

3.11

7

192.

168.

2.11

0

192.

168.

3.11

6

192.

168.

2.11

2

192.

168.

1.10

3

192.

168.

4.11

8

192.

168.

3.11

5

TIM

E: 16

:10

1

6:15

. . .

. . .

. . .

. . .

. . .

. . .

. . .

. . .

3.62

3.35

2.53

2.32

2.19

1.99

1.94

1.74

1.73

1.48

1.48

1.48

1.48

1.48

1.48

SCO

RE

HO

ST

192.

168.

1.10

219

2.16

8.1.

103

192.

168.

1.10

4

192.

168.

1.10

1

192.

168.

1.10

5

192.

168.

2.10

6

192.

168.

2.10

7

192.

168.

3.11

7

192.

168.

2.11

1

192.

168.

4.12

1

192.

168.

2.11

3

192.

168.

3.11

6

192.

168.

2.11

2

192.

168.

2.11

0

192.

168.

4.11

8

. . .

. . .

. . .

. . .

. . .

. . .

. . .

. . .

3.37

3.10

2.95

2.60

2.48

2.27

1.00

0.92

0.92

0.87

0.86

0.76

0.76

0.76

0.76

SCO

RE

HO

ST

192.

168.

2.10

619

2.16

8.2.

112

192.

168.

2.11

0

192.

168.

2.10

8

192.

168.

2.10

9

192.

168.

1.10

5

192.

168.

2.11

3

192.

168.

2.10

7

192.

168.

1.10

2

192.

168.

2.11

1

192.

168.

1.10

3

192.

168.

1.10

1

192.

168.

1.10

4

192.

168.

4.11

9

192.

168.

3.11

7

. . .

. . .

. . .

. . .

. . .

. . .

. . .

. . .

3.27

2.63

2.63

2.63

2.63

2.52

2.27

2.13

2.11

1.82

1.70

1.62

1.62

1.60

0.75

SCO

RE

HO

ST

192.

168.

5.12

319

2.16

8.2.

112

192.

168.

5.12

4

192.

168.

2.10

6

192.

168.

1.10

1

192.

168.

4.12

1

192.

168.

2.11

1

192.

168.

2.10

9

192.

168.

4.11

9

192.

168.

1.10

2

192.

168.

1.10

3

192.

168.

1.10

4

192.

168.

2.11

3

192.

168.

4.11

8

192.

168.

2.11

0

. . .

. . .

. . .

. . .

. . .

. . .

. . .

. . .

3.06

2.66

2.48

1.96

1.77

1.69

1.15

0.99

0.93

0.92

0.66

0.62

0.58

0.57

0.56

TIM

E: 16

:35

1

6:40

TIM

E: 16

:40

1

6:45

TIM

E: 16

:45

1

6:50

TIM

E: 16

:50

1

6:55

TIM

E: 16

:55

1

7:00

(a)

SCO

RE

HO

ST

192.

168.

5.12

3

192.

168.

1.10

4

192.

168.

2.10

6

192.

168.

2.11

2

192.

168.

1.10

1

192.

168.

1.10

5

192.

168.

2.11

1

192.

168.

4.11

9

192.

168.

5.12

4

192.

168.

2.10

9

192.

168.

4.12

1

192.

168.

1.10

2

192.

168.

2.11

3

192.

168.

2.11

0

192.

168.

2.10

8

. . .

. . .

. . .

. . .

. . .

. . .

. . .

. . .

3.20

2.33

2.23

1.94

1.85

1.70

1.55

1.51

1.40

1.31

1.29

1.28

1.20

1.15

1.15

SCO

RE

HO

ST

192.

168.

4.12

119

2.16

8.5.

123

192.

168.

1.10

1

192.

168.

2.10

6

192.

168.

2.11

2

192.

168.

2.11

1

192.

168.

1.10

2

192.

168.

1.10

4

192.

168.

1.10

5

192.

168.

5.12

4

192.

168.

1.10

3

192.

168.

4.11

9

192.

168.

2.10

9

192.

168.

2.10

7

192.

168.

4.11

8

. . .

. . .

. . .

. . .

. . .

. . .

. . .

. . .

2.84

2.74

1.90

1.82

1.60

1.23

1.22

1.22

1.13

1.02

0.97

0.92

0.82

0.81

0.76

SCO

RE

HO

ST

192.

168.

2.11

219

2.16

8.1.

101

192.

168.

5.12

3

192.

168.

4.12

1

192.

168.

2.10

6

192.

168.

5.12

4

192.

168.

2.11

1

192.

168.

1.10

2

192.

168.

2.10

9

192.

168.

1.10

319

2.16

8.1.

104

192.

168.

1.10

5

192.

168.

2.11

3

192.

168.

2.11

0

192.

168.

2.10

8

TIM

E: 17

:00

1

7:05

. . .

. . .

. . .

. . .

. . .

. .

. . .

. . .

2.29

2.28

2.20

2.19

2.01

1.94

1.38

1.04

1.03

0.78

0.73

0.71

0.70

0.67

0.67

SCO

RE

HO

ST

192.

168.

2.11

2

192.

168.

1.10

1

192.

168.

4.11

9

192.

168.

2.10

6

192.

168.

4.12

1

192.

168.

5.12

3

192.

168.

2.11

1

192.

168.

5.12

4

192.

168.

2.10

9

192.

168.

1.10

2

192.

168.

2.11

3

192.

168.

1.10

5

192.

168.

2.11

0

192.

168.

2.10

8

192.

168.

4.11

8

. . .

. . .

. . .

. . .

. . .

. . .

. . .

. . .

2.74

2.35

2.27

2.10

1.68

1.67

1.60

1.44

1.24

1.10

1.05

1.02

1.01

1.01

0.88

SCO

RE

HO

ST

192.

168.

5.12

319

2.16

8.2.

106

192.

168.

1.10

4

192.

168.

2.11

2

192.

168.

1.10

1

192.

168.

4.11

9

192.

168.

4.12

1

192.

168.

2.11

1

192.

168.

5.12

4

192.

168.

1.10

2

192.

168.

2.10

9

192.

168.

4.11

8

192.

168.

2.11

3

192.

168.

1.10

3

192.

168.

2.11

0

. . .

. . .

. . .

. . .

. . .

. . .

. . .

. . .

3.16

2.05

1.97

1.66

1.57

1.30

1.11

1.02

0.94

0.87

0.74

0.63

0.62

0.60

0.57

TIM

E: 17

:05

1

7:10

TIM

E: 17

:10

1

7:15

TIM

E: 17

:15

1

7:20

TIM

E: 17

:20

1

7:25

(b)

(c)

(d)

(e)

(f)

(g)

(h)

(i)(j)

(k)

Situational Assessment of Intrusion Alerts 413

Appendix B: Output scores of Avisa2 in attack scenario 2

Table 2. Output scores of Avisa2 in attack scenario 2

(a)

(b)

(c)

(d)

(e)

(f)

(g)

(h)

(i)(j)

(k)

SCO

RE

HO

ST

192.

168.

3.11

719

2.16

8.5.

122

192.

168.

3.11

4

192.

168.

3.11

5

192.

168.

2.11

2

192.

168.

2.11

3

192.

168.

3.11

6

192.

168.

4.12

1

192.

168.

2.10

8

192.

168.

1.10

3

192.

168.

2.10

9

192.

168.

4.11

8

. . .

. . .

. . .

. . .

. . .

. . .

. . .

. . .

4.53

3.56

2.64

2.46

2.00

1.70

1.26

0.65

0.59

0.50

0.22

0.22

SCO

RE

HO

ST

192.

168.

3.11

719

2.16

8.3.

115

192.

168.

5.12

2

192.

168.

3.11

4

192.

168.

2.11

2

192.

168.

3.11

6

192.

168.

4.12

1

192.

168.

2.11

3

192.

168.

2.10

8

192.

168.

2.10

9

192.

168.

4.11

8

192.

168.

1.10

3

. . .

. . .

. . .

. . .

. . .

. . .

. . .

. . .

4.68

4.59

3.65

2.49

2.32

1.43

1.39

1.17

0.76

0.40

0.40

0.35

SCO

RE

HO

ST

192.

168.

2.11

219

2.16

8.4.

121

192.

168.

5.12

2

192.

168.

1.10

3

192.

168.

3.11

4

192.

168.

2.10

9

192.

168.

4.11

8

TIM

E: 16

:55

1

7:00

. . .

. . .

. . .

. . .

. . .

. . .

. . .

. . .

3.96

3.27

2.58

2.23

1.26

1.23

1.22

SCO

RE

HO

ST

192.

168.

3.11

719

2.16

8.3.

115

192.

168.

3.11

4

192.

168.

2.11

2

192.

168.

3.11

6

192.

168.

4.12

1

192.

168.

1.10

3

192.

168.

5.12

2

192.

168.

4.11

8

192.

168.

2.10

9

. . .

. . .

. . .

. . .

. . .

. . .

. . .

. . .

6.34

3.76

3.74

3.02

2.59

1.02

0.86

0.12

0.10

0.10

SCO

RE

HO

ST

192.

168.

3.11

719

2.16

8.2.

112

192.

168.

3.11

4

192.

168.

2.11

3

192.

168.

3.11

5

192.

168.

2.10

8

192.

168.

3.11

6

192.

168.

4.12

1

192.

168.

1.10

3

192.

168.

2.10

9

192.

168.

4.11

8

192.

168.

5.12

2

. . .

. . .

. . .

. . .

. . .

. . .

. . .

. . .

5.43

3.50

2.93

2.87

2.84

2.72

1.67

1.32

0.54

0.10

0.10

0.10

SCO

RE

HO

ST

192.

168.

3.11

519

2.16

8.3.

117

192.

168.

5.12

2

192.

168.

3.11

4

192.

168.

2.11

2

192.

168.

2.11

3

192.

168.

3.11

6

192.

168.

2.10

8

192.

168.

4.12

1

192.

168.

2.10

9

192.

168.

4.11

8

192.

168.

1.10

3

. . .

. . .

. . .

. . .

. . .

. . .

. . .

. . .

4.97

4.63

4.40

3.12

2.12

1.81

1.66

1.43

1.19

1.14

1.14

1.02

TIM

E: 17

:15

1

7:20

TIM

E: 17

:20

1

7:25

TIM

E: 17

:30

1

7:35

TIM

E: 17

:35

1

7:40

TIM

E: 17

:45

1

7:50

SCO

RE

HO

ST

192.

168.

3.11

719

2.16

8.1.

101

192.

168.

5.12

2

192.

168.

2.11

2

192.

168.

2.10

6

192.

168.

2.10

9

192.

168.

3.11

6

192.

168.

4.12

1

192.

168.

3.11

5

192.

168.

4.11

8

192.

168.

1.10

3

192.

168.

2.10

8

. . .

. . .

. . .

. . .

. . .

. . .

. . .

. . .

4.42

3.37

3.36

2.30

1.62

1.35

1.32

1.29

1.22

1.13

1.13

1.13

SCO

RE

HO

ST

192.

168.

3.11

719

2.16

8.5.

122

192.

168.

1.10

1

192.

168.

2.11

2

192.

168.

2.10

6

192.

168.

2.10

9

192.

168.

4.12

1

192.

168.

3.11

6

192.

168.

2.10

8

192.

168.

4.11

8

192.

168.

1.10

3

192.

168.

2.11

3

. . .

. . .

. . .

. . .

. . .

. . .

. . .

. . .

4.32

4.13

2.77

2.04

1.48

1.22

1.20

1.16

1.06

1.06

1.06

1.06

SCO

RE

HO

ST

192.

168.

3.11

719

2.16

8.2.

106

192.

168.

2.11

2

192.

168.

3.11

6

192.

168.

5.12

2

192.

168.

2.10

9

192.

168.

4.12

1

192.

168.

3.11

5

192.

168.

3.11

4

192.

168.

4.11

8

. . .

. . .

. . .

. . .

. . .

. . .

. . .

. . .

4.84

4.00

2.65

2.53

2.35

2.26

2.24

2.17

1.95

1.49

SCO

RE

HO

ST

192.

168.

3.11

719

2.16

8.5.

122

192.

168.

2.10

6

192.

168.

2.11

2

192.

168.

2.10

9

192.

168.

3.11

6

192.

168.

4.12

1

192.

168.

4.11

8

192.

168.

1.10

3

192.

168.

2.10

8

192.

168.

3.11

5

192.

168.

2.11

3

. . .

. . .

. . .

. . .

. . .

. . .

. . .

. . .

4.98

4.25

4.08

2.70

2.43

2.34

2.02

1.74

1.74

1.73

1.72

1.71

TIM

E: 18

:00

1

8:05

TIM

E: 18

:05

1

8:10

TIM

E: 18

:10

1

8:15

TIM

E: 18

:20

1

8:25

SCO

RE

HO

ST

192.

168.

3.11

719

2.16

8.5.

122

192.

168.

3.11

5

192.

168.

3.11

4

192.

168.

2.11

2

192.

168.

2.11

3

192.

168.

2.10

9

192.

168.

4.11

8

192.

168.

3.11

6

192.

168.

1.10

3

192.

168.

2.10

8

192.

168.

4.12

1

. . .

. . .

. . .

. . .

. . .

. . .

. . .

. . .

6.68

3.85

3.73

3.36

2.64

1.61

1.53

1.53

1.51

1.47

1.42

1.34

TIM

E: 17

:50

1

7:55

192.

168.

1.10

3

192.

168.

2.10

8

192.

168.

2.11

3

1.48

1.48

1.42

192.

168.

3.11

41.

4519

2.16

8.2.

113

192.

168.

3.11

4

1.13

1.11

192.

168.

3.11

4

192.

168.

3.11

5

1.06

1.05